This article describes how to block failed SSL VPN login attempts using an ISDB (Internet Service Database) address object.
Scope
FortiOS 7.2.0 and later.
Solution
To address multiple, continuous failed SSL VPN login attempts from a set of IP addresses that belong to a specific ISDB object, follow the steps below:
Step 1: Identify the IP addresses behind the failed login attempts and associate them with ISDB objects.
Note down a few key remote IP addresses associated with failed VPN login attempts that are suspected to be malicious.
- Navigate to Policy & Objects > Internet Service Database > IP Address Lookup tool.
- Use this tool repeatedly, once for each noted IP address, to identify a common ISDB address object.
In conclusion, this step identifies the ISDB object associated with multiple failed SSL VPN login attempts. As shown in the above screenshot, most of the attempts in this case were identified from the 'ColoCrossing-ColoCrossing.Hosting.Service' service and 'Hosting-Bulletproof.Hosting'.
Note:
If FortiGate does not return a specific ISDB entry for most of the IP addresses, these IPs are not part of any specific ISDB object and the subsequent steps in this document do not apply.
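As an added example, not part of the original article, the same lookup can be done from the FortiGate CLI instead of the GUI tool. The IP addresses below are constructed sample values; the log filter assumes failed logins are kept in the local event log, where FortiOS records them with the action 'ssl-login-fail'.

```fortios
# Added example: CLI equivalent of Step 1 (sample IPs are constructed, not from the article).
# 1. List recent failed SSL VPN logins from the local event log (category 1 = event).
execute log filter reset
execute log filter category 1
execute log filter field action ssl-login-fail
execute log display

# 2. Check which ISDB entry (if any) each noted remote IP belongs to.
#    Repeat for every IP taken from the log output; an entry name that keeps
#    recurring is the object to negate in the firewall policy in Step 2.
diagnose internet-service match root 203.0.113.10 255.255.255.255
diagnose internet-service match root 198.51.100.25 255.255.255.255
```

If a lookup returns no match for most of the addresses, the note above applies and the ISDB-based policy will not help; a geography address object (see the final note) may still be an option.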
Step 2: Use the ISDB object in the firewall policy.
In the firewall policy that allows SSL VPN traffic, select the identified ISDB objects in the source address field and enable source negate, so that the policy matches every source except those objects.
Step 2.1: Configure the FortiGate SSL VPN to listen on a loopback interface.
Configure a loopback interface with a /32 IP address that is not in use, as shown in the below screenshot.
Step 2.2: Make the SSL VPN listen on the loopback interface instead of WAN.
This setting is changed under VPN > SSL-VPN Settings.
Step 2.3: Create a virtual IP address object using a loopback interface.
To configure the VIP, set up the 'SSL VPN VIP' as shown in the below screenshot:
- '50.50.50.50' is the public IP of the WAN1 interface in this scenario, where SSL VPN listens on external port '10443'.
- '10.254.1.1' is the IP address of the loopback interface.
Step 2.4: Create a firewall policy from WAN to loopback using a VIP for the SSL VPN port.
The GUI method to configure the firewall policy is as follows:
To make the 'Negate' option for source and destination addresses visible in firewall policies, go to System > Feature Visibility and enable 'Policy Advanced Options'.
Any further attempts from IP addresses belonging to these ISDB objects will be blocked by the firewall policy, and this will be reflected in the VPN event logs as the number of failed SSL VPN attempts decreases.
Note:
Additional restrictions on SSL VPN login attempts based on geographical IP address objects can also be configured in combination with this method. Follow the steps in the link below:
Technical Tip: Restricting SSL VPN connectivity from certain countries using firewall geography addr...